Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Slashback

Slashback: Efficiency,Observation,WEP 99

Slashback brings you updates and additional notes on recent Slashdot stories. Tonight that means more on computers playing chess, on judges who don't like being monitored in the workplace (too bad!), and on the (less totally spectactular, still bad) cracking of 802-Errr, something.

Sargon Deep Fritz playing a person may be more cutting edge (and take a lot more processor power), but it seems like an awful lot of resources to spend on playing chess. Alex Bischoff writes: "From the February 1983 issue of "Your Computer", it's chess in 1 KB (for your brand-new ZX-81)."

But sir, even the judges are objecting! saulgood writes "the NY Times is carrying a further article here, about the revolt amongst some judges over their ability to look at Britney Spears and download Metalica mp3's at work... that's right - Power to the People Baby!!! No justice, No peace..."

Take that -- no, please, take that. Bob Lee writes:

"I authored the open source program Code Red Vigilante. This is an open effort to inform the public about the dangers of the Code Red worms and to specifically notify the owners of infected machines ... Vigilante is featured on Incidents.org, OnJava.com, TheServerSide.com, and it will be on the ScreenSavers on TechTV on next Monday.

Not to put too fine a point on it ... Jeffrey Fanelli of Sniffer Technologies writes: "Just to clarify on your story, that intern didn't crack 802.11x, but WEP in a 802.11b environment. 802.11x is a recently developed standard extension to Radius and 802.11 to allow for dynamic keys to be generated per user session. 802.11x uses the same WEP RC4 encryption, but makes it far more difficult to crack given the fact that all nodes associated with a particular Access Point will have a unique session based KEY (a key which, I might add, the user of the Mobile Unit in question cannot themselves identify).

This discussion has been archived. No new comments can be posted.

Slashback: Efficiency,

Comments Filter:
  • So does that mean I can go to the local library and go dl some pr0n?
  • Computer viruses are becoming more and more like real viruses and other pathogens. Inside all of us, there are viruses and bacteria that our body tolerates, because they either are symbiotes or are clever and elusive enough to avoid total destruction. I think this is the model that computers are moving toward.

    Viruses are proliferating, and many of them are not as flagrantly destructive as Code Red or SirCam. For instance, there was a report on Jerry Pournelle's site (I can't find it now, sorry, and I also apologize for the inaccuracies of memory) about a virus that infected PCs and switched their Wordpad file that transmitted the IP address of the infected computer to hackers in Russia. I could easily have three or four viruses on my PC of this insidious type and never realize that they were there unless the Russian hackers made a move against my PC. Inside me now are a few types of virus that never gave me a fever or other symptom and probably never will unless AIDS or something else compromises my immune system. I think taht computer viruses of this type are far more interesting and potentially dangerous. While I Love You, Code Red, and SirCam may be the Ebolas and Smallpoxes of the computer virus world, the more insidious types have the potential to be the Epstein-Barr or the HIV of computer viruses. Just as much of HIV's lethality and danger come from it's insidiousness and lack of early symptoms, I think a virus that could truly damage the internet would be insidious and slow. Viruses that are destructive in crude and quick fashion like I Love You are quickly eradicated. To do real harm, a computer virus, like a real one, must have time to spread.

    In response to the computer virus threat, we've created an immune system for computers, in the form of anti-virus software and now maybe in the form of anti-virus worms. Speaking as someone who's had anti-virus software make their computer unbootable, a cancer of the virtual world is possible too. Let's say there's a new virus, the "I sorta like you" virus. So, some enterprising individual sets up a program to respond to an "I sorta like you" email with anotehr worm that fixes the vulnerabiltity. Now let's say this program gets widely distributed, so when poor User X's computer becomes infected everyone in his address book has the program. So, poor User X gets this worm from everyone in his address book. For many people, this may constitute an effective DOS attack, as it will overwhelm their mailboxes. It may very well also increase the strain on internet capacity by doubling the volume of bad email flowing. (Assuming it isn't widely distributed enough to stop the initial outbreak) There is also the potential for all kinds of mischief in "helpful" worms.

    In DDOS attacks, (such as the ones reported on GRC) we see another similiarity to the natural world. We see one type of OS acting as a reservoir to attack computers running another OS. Masses of Windows machines are used to attack machines that I suspect probably run Linux or a UNIX variant. Almost like the mice that act as a reservoir of the Hanta virus that attacks humans. (The mass sending of packets also seems to resemble in many ways the mass multiplication used by "hot" viruses)

    So how do we prevent the kind of suffering that characterized the human expierience with disease from being visited on the modern world virtually? We need vaccines in the virtual world, in the form of the companies that make OSes and email programs taking responsibility for making them more resistant to viruses. We also need health education of the virtual world, in the form of ways to inform newbies about the myriad security holes that exist in their Windows boxes. Finally, we need an antibiotics of the virtual world, in the form of better anti-virus programs and more rapid and efficient distribution of anti-virus patches. One day, we may make our PCs healthier than we are.

    • I enjoy your analogy, and I must say I've had similar thoughts myself; however, I do believe that so-called 'vigilante' viruses could be of benefit.

      In the natural world, we use, as you indicate, antibiotics to ward off bacterial infection. One point you may have overlooked is the source of these treatements is overwhelmingly products of other microbes. That is, the antibiotics we use are derived from organisms such as fungi, or other bacteria.

      If we take from this analogy that fact, then we may expect that altering a harmful virus such that it attacks and destroys other harmfuls could be a very successful way of fighting it. As for your point that this could result in effective DOS attacks, measures could be taken to ensure that this would not happen. How? Because we (the good guys) would have full control over the distribution of the 'vigilante', just as we do for drugs in a patient. Writing a 'vigilante' to distribute itself in the same manner as the original would fall off the board in being analogous to a vaccine (which is a weakened virus incapable of replicating itself extensively); instead, it would just be another form of the virus itself. So, constructs such as web watchdogs could be used to identify vulnerable machines first. Then, they could be checked for infection. The infected "patients" could then be used to alert the watchdog of other machines to check for vulnerability (via mail list), and repeat. The key point is: watchdogs could be trained NOT to check machines that have already been checked (by catalogging checks to a large DB), thus ending a DOS attack scenario. It would be a large task to accomplish, but it is not out of the question.

      We already have 'protection' against attacks in machines that are given frequent security updates. While downloading the latest patches doesn't insure one from recieving a brand new virus, it does hedge the spread of that virus. The main problem, as I see it, is that incompetent Admins often fail to realize that they are vulnerable, or that they should download a security patch post haste. I guess they never learned: an ounce of prevention is worth a pound of cure.
    • Where the analogy falls down is that cures for diseases in people have to be thoroughly tested in controlled circumstances before release. However well intentioned, someone releasing a "cure" into the wild is like me offering some home-grown concoction as a cure for AIDS. Remember thalidomide. Unintended side effects are almost inevitable in complex systems.

      Maybe we need the equivalent of testing on animals - Windows ME users on a private network.

  • The most effective way stop the spread is to destory them all. If all susceptable machines are put down, preferably permanently, then the worm won't spread.

    Thats what our beloved Tony has done to all our livestock, so it must be a good plan. Foot and Mouth was decided to be so important the Govt ignored the law so...

    Or should we just wait for some malicious little hacker to trash all vunerable machines for us.

    --I would be working but my license ran out :-)

  • Ok, so somebody go make a servlet out of this. I am already running a web server with a servlet engine (tomcat), so I can't just set up a standalone program listening on port 80.
  • code red vigilante (Score:5, Informative)

    by perdida ( 251676 ) <thethreatproject@@@yahoo...com> on Tuesday August 14, 2001 @07:15PM (#2170388) Homepage Journal
    See the Kuro5hin.org story on this issue..here [kuro5hin.org]

    Basically you are penetrating an already 0wned computer, but this still exposes you to liabilities. It's a precipitation of the libertarian or wild wild west version of the Internet. The thing to do is to get a respected authority, such as the FBI or the police, to notify the 0wned, hence saving yourself from accusations of propagating Code Red or being a cracker yourself.

    • I think this is the correct link: http://www.kuro5hin.org/story/2001/8/8/53543/46803 [kuro5hin.org]
    • This is a serious issue with programs going back to 'patch' infected machines. It doesn't matter that you're being helpful or alerting an admin of a problem. It's illegal because you are making access to a computer that you are not authorized.

      better idea (that's legal too!) - have an AI module or something look back at an infected server and see if it is indeed an operational website as opposed to someone who isn't aware IIS is on their machine. Have that AI mod attempt to find a webmaster@server email address and send a *friendly* looking email to there advising the person to the problem. One with links to CNN and MS websites about Code Red will also be more effective, as the person can verify that Code Red is indeed a true threat. Links to technical specs of the virus may scare the person from doing anything.

      Another idea would be to do a reverse DNS lookup on the infected IP address. If there's a result, lookup a dns contact info via whois, and again generate an appropriate email to that address.

      These can be automated quite easily by embedding the code in a CGI that goes by the name default.ida (and running on apache or some other non-IIS system). When a string of N's or X's (or whatever the current strain does) is detected, jump into action.

      • I realized a possible faw with the AI plan. If the server is code red infected, attempts to look at the website will most likely return a "Hacked by Chinese" page.
      • the codered machines attacked me first, i was just acting in self defense to avoid being attacked again.

        • hmm, interesting take on the situation. i guess that could fly, but then again, IANAL
        • Or take a different approach: They sent me a request, I am simply sending back a stream of data to fulfill that request. I may interpret their request in any way that I see fit.

          Them: "Oh, but the computer sent that request without my knowledge!"

          You: "No problem, my computer answered that request without my knowledge."

          Self defense or not, they are requesting data from your computer.

    • Are they penetrating the computer? Or emailing postmaster@ ? The Code Red Vigilante pages weren't very forthcoming, and that K5 like was completely offtopic.

      If they are penetrating the computer in response, then I agree with your statement, if it's a simple "when scanned by foo, email foo" then surely there's no issue there? Although.. it might be annoying to get 4000 emails saying a machine you don't administrate is infected :}
      • Just because "masturbation" means that you "masturbate", it doesn't follow that "administration" means that you "administrate".

        Administer your box -- it's the right thing to do.

      • by jeffy124 ( 453342 )
        it took me a moment to figure it out too, so dont feel bad ....

        what the program does is set up a listener on port 80 of your machine. When GET requests come in matching that of Code Red trying to spread, the program drops those requests, then connects back to that machine via it's IP address and exploits the same hole Code Red does, but this time it causes a simple dialog box to suddenly appear on the infected deskop, telling the person who's currently sitting in front of the machine of the problem and what to do. He has screenshots of that dialog at the bottom of the page.

        the author of the program says hes already gotten an email from someone saying that he asked his ISP about Code Red, they told him he shouldn't be concerned because code red doesnt infect "home machines." go figure :/

        • That's funny... the 3600 code red infection attempts that have hit me have ALL been from "home machines". You know, the ones running the copy of Windows 2000 Server that somebody brought home from work? Or the ones that have IIS installed, but don't know what it is, so they haven't removed it?

          These are apparently way more common than I thought, because I'm being flooded with hits from Cable/DSL users, and especially Sprint Broadband (my ISP).

          Of course I'm running Apache... and I've already had numerous friends who were misinformed similarly about the virus...

          One friend heard about it on CNN that it "affected Windows" and he thought he HAD the virus, because he has Windows 98 and it started to slow down.

          One friend runs Windows 2000, but he's a bit smarter - he does not have IIS installed, and has a firewall. And his firewall has big logs of people trying to infect him. :)
    • beyond the fact that I don't what to get in legal trouble.
      Is it possible to bounce the "Code Red Vigilante" http requests via a web anonymizer service over SSL?

      Any moral problems here a minor, ultimately if a machine you own is sending a potentially harmful http request to my machine, I don't see any problem sending a less harmful one back.
    • by Pii ( 1955 )

      You are not penetrating the remote system...

      That system has initiated an HTTP request to your system, and you are merely fulfilling that request.

      It's just like when you choose to browse a web page, and it includes some Java, or Javascript. When you initiate the connection, you get what you get.

      Can you sue some website just because they toss a few pop-up windows at your screen?

      Besides, the owners of infected systems are negligent, as the patch to this vulnerability was released by Microsoft almost 2 full months ago (June 18th). Their negigence is contrinuting to this modern day "Tragedy of the Commons."

      F*** 'em.

      • You are not penetrating the remote system...

        Correction: By using that software, you ARE penetrating the remote machine. The Java code takes the Code Red http attempt to spread and drops it, then fires back at the same hole Code Red exploits and causes the pop-up. The software is causing a pop up to appear on that machine, which can be viewed as a penetration from your machine into the remote machine. This is can be viewed as illegal because you are knowingly making access to a computer system which you have not been authorized.

        I agree that negligent admins are to blame at this point. But that doesnt matter to the legal system (at least in the US).

        At least in theory, if company Z's SA gets such a pop-up and wants to sue the guy ran Code Red Vigilante and caused the popup, the press could gobble up this as company Z failing to follow good security practices and result in a bad taste for Z's customers. So in reality, no lawasuit suit or other legal action may actually come out as a result.

        • Here are a few ideas I just sent off to CRV:

          There are a lot of people out there (/. is where I've been following this) that are reluctant to initiate remote access to a machine. I have done a little digging around at work, where we have most different versions of Windows, and figured this much out:

          You can use the 'net send ip.ip.ip.ip message' to initiate a popup window on an NT or 2K box, but you can only specify an ip address from 2K. NT will only work with locally networked machine names, not ip addresses, and 98 doesn't have net send.

          I have a few ideas on this, to protect those of us who are squeamish about using an 0wned box. I do a little embedded stuff, but am not a programmer per se, especially not Java or Windows, but:

          Can we (as a community) reverse engineer the 2K 'net send' protocol and create a (probably java-based) popup generator for 95/98/NT/Linux? This will send a message from your computer to theirs, without using their cracked box to do it. This would be a more favorable solution, as it would keep the workload distributed rather than client-server.

          Or, can we create a java-based tattle tale app that reports offending IPs to someone outside the US or who just doesn't give a crap? ;) They could then send the LOCALHOST message. I suppose this could be done very easily with some 2K servers which provide some (limited!) access to the 'net send' command, and each java client could access that command (with the admin's permission of course, that's my whole point).

          • Can we (as a community) reverse engineer the 2K 'net send' protocol and create a (probably java-based) popup generator for 95/98/NT/Linux?

            How about smbclient -M in samba? The only problem I see with this is that you're going to need RPC connectivity to the infected system. If the system is behind any kind of firewall, chances are the appropriate ports aren't going to be available....hence the CRV solution of using the 0wn3d box to send itself a popup...
            • Would a server running IIS necessarily have mail services on? Is there any other way to passively alert the admin? At least in my neck of the woods (RoadRunner cable modem), almost none of the IPs attacking me have sites up. I've heard some web development tools install IIS without necessarily explaining what's happening in detail, and that seems to be the norm on cable, unless the worm deletes index.htm? and/or default.htm?. I went to try and harvest some admin email addresses, and couldn't find a page on many tries.

              Any other ways to non-maliciously get someone's attention in NT or 2K if you merely know their IP address?

        • then fires back at the same hole Code Red exploits and causes the pop-up.

          Not completely correct. The Java code is not using the hole that Code Red exploits. It's exploiting the hole that Code Red creates.
        • If you think about it, the vigilante code is really just sending a message to the owner of the system. Passing messages would not normally be considered breaking in.

          As an analogy, consider it the equivalent of laying a message inside of an open door.
  • by Rudeboy777 ( 214749 ) on Tuesday August 14, 2001 @07:16PM (#2170392)
    ...revolt amongst some judges over their ability to look at Britney Spears and download Metalica mp3's at work.

    I think we have a new champion for the dictionary definition of irony!
    • did you read the article?

      The 9th circuit is all but in revolt over the very kind of constraints of fredeom that /. gets worked up about

      They are certainly gong to all be far more aware of the issues once this is all over.

  • With the times (Score:2, Insightful)

    by yali ( 209015 )

    "We are going to have to rule on the legality of this," he said, "because employers all over the country are doing this."

    Are, were, have been for the last ??? years... This reminds me of Sandra Day O'Connor's contempt that people in Florida couldn't follow allegedly simple voting procedures (the folks at the country club where she votes just mark "Republican" all down the ballot for you and hand you a martini), or George Bush the First's amazement a infrared scanner at the grocery store late in his term (he hadn't been to a grocery store in years). Welcome to Everybody Else's America, judge!

  • Clarification (Score:5, Insightful)

    by Sheldon_Brown ( 514313 ) on Tuesday August 14, 2001 @07:22PM (#2170411)
    At issue is whether it is legal and ethical for officials in Washington to check to see if any of the judiciary's 30,000 employees, among them nearly 900 active judges and hundreds of semiretired ones, use their computers for pornography, streaming video or music.

    While this is certainly what the esteemed newspaper reporter has printed, we must ask ourselves: is it true? That is, is the monitoring program they have installed so brilliant, so incredibly artificially intelligent, that it can distinguish these three things: "pornography, video, and music" from everything else the judges might be looking at? Or is it (as I might believe to be the case) that the program is far less intelligent than the reporter claims, that the program simply monitors what web pages are viewed, and reports & tracks this at a central authority. Perhaps the judges don't wish any central authority to know that they are reading www.2600.com? Or perhaps that they are posting to weblogs as "Anonymous Coward", writing tracts such as "IANAL", which we all know means "I am not a lawyer (i'm a judge)" but which might be construed as pornography (I ANAL).

    I think we must petition the reporter to check his facts at once.
    • Porn detection is easy. Much of it (SoCal organisations anyway) is fed from a very small number of very large server farms. Any admin connected with the industry can recognise these by their IP. Although this only detects a fraction of all possible porn, any access to numbers in these blocks is a very reliable indicator of at least some porn content.

      Statistically, a porn consumer is also likely to have hit at least one of the sites connected with these cartels.

      I work with web-streamed video. Talking to porn webmasters is essential to my work, because these are the guys who had to solve all my problems a year before I knew I had them, and (respect due) they're almost the only profitable part of the dot.com game.

      PS - Good to see you on Slashdot, Sheldon.

    • Re:Clarification (Score:5, Informative)

      by rgmoore ( 133276 ) <glandauer@charter.net> on Tuesday August 14, 2001 @07:49PM (#2170464) Homepage

      I don't think that this is an issue of bad research as much as it is one of bad writing. It seems pretty clear from some of the other comments that the author does understand that it's necessary to monitor everything in order to see if the people in question are surfing for pr0n, etc. Take for instance the quote:

      "My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book," Judge Kozinski said. "I don't think its appropriate for us to be forcing employees to give up rights wholesale without showing any need. If we did this with telephones, people would be outraged."

      The problem is one of bad writing. The author doesn't make it explicit that they judges are worried that everything they do is being monitored.

      One issue that's potentially pretty scary about this is that judges need confidentiality. The are sometime required to seal documents, rule on the admissability of trade secrets, and generally deal with things that are supposed to be given strictly limited circulation. Putting monitors on their computers so that people back in Washington can see what they're doing has the potential to undermine the confidentiality of their work, and the implications of that are very serious indeed.

      • Being in the Information Security department for a large brokerage house...I can speak "authoritativly" on this. One: Why in the world would a judge be doing something confidential over the net?! If so, it should be encrypted, which the individual monitoring wouldn't be able to read anyway. Two: Since when do people have the "right" to surf porn at work on company time on computers they don't own? I have no problems with people surfing porn or downloading mp3's...but doing it at work is just irresponsible. Besides, the judges should know the legal aspects of surfing porn at work and sexual harassment laws. Just a couple of points I think people tend to overlook...
    • They aren't going to look at the compressed video streams, but when you get sent the plain text header for the file hot_sexy_porn.rm, it gives it away.
  • by Jailbrekr ( 73837 ) <jailbrekr@digitaladdiction.net> on Tuesday August 14, 2001 @07:50PM (#2170467) Homepage
    The vote stems from a conflict that has been simmering since this spring. At issue is whether it is legal and ethical for officials in Washington to check to see if any of the judiciary's 30,000 employees, among them nearly 900 active judges and hundreds of semiretired ones, use their computers for pornography, streaming video or music.

    So I guess the judges are forbidden to actually see the capabilities of the internet, but merely listen to half baked descriptions and accusations from the various special interest groups?

    My Grandmother had a saying "Believe none of what you hear, half of what you read, and all of what you see". This filtering bullshit will SERIOUSLY impede the judges ability to make an INFORMED decision.

    • Correct me if I'm wrong, but downloading pornography, streaming video (mostly pornography again) and music are NEVER job-related activities, unless you're (a) a professional musician or (b) a hooker. Since few judges fall into these categories, I think we can safely say that filtering porn and music downloads will not affect the judges' ability to use the web for research and make informed decisions.

      Of course, if the filtering is broken then it will. But some reasonably smart filtering (better than the crap the libraries decided to use) would solve that. Alternatively, just set the software to forward a list of "suspicious" pages to the admin. A few hits on "sex" will be ignored; a few dozen hits will be checked. The basic knowledge that you can be found out will be enough to stop ppl using it for that. This is the way most companies work, and it works just fine.

      You want to do it on your home machine, go ahead. It's your machine, your network connection, and your money paying for the dialup. You want to use someone else's network, you have to play by the rules for that network.

      Grab.
      • Well, you asked, so I'll correct you. You are wrong. First of all, there are many reasons that one might have job-related needs to view material that gets filtered by all sorts of filtering mechanisms. Without even counting the piss-poor job that filters do, and considering only things that you would "want" to block, any judicial case involving hookers, pornography, the Internet, streaming services (which you ignorantly claim can only mean porn; lots of news broadcasts can be seen on the web these days, which you might know if you stopped surfing pron for a few), etc, etc, etc. So you are, in fact, proposing a situation where judicial decisions are being made in ignorance. Even if the system only tracks usage, not blocks it, what judge wants a black mark on his file for just doing his job properly? I know an ABC News producer who was grilled over her pron surfing at work: never mind that she was doing a story on internet pornography, how's THAT for a chilling effect?

        What the non-tech-savvy judges are finally grasping (and you have yet to understand), is that the entire range of surveillance activities that employers perpetrate may, in fact, be illegal. The reasoning is simple and obvious; it's illegal to fuck with the mail or tap people's phones, outside of narrow exceptions, so there is an obvious conflict between the law and the frighteningly common view that mere ownership of equipment by an employer abrogates all rights of citizens of this once free country.

        So there.

        • "So there." Well, that's me told! *bg*

          Yeah, guess you're right about the news footage. Although it's not that widely used since most of us don't have good enough connections (30 minutes delay to watch 2 minutes of footage is a shitty deal IMO, although I guess judges would have better links than that! :-)

          The ABC news producer was "grilled"; does that mean "formally reprimanded" or just "asked why she was doing it"? The former would be ABC having their heads up their ass; the latter would be completely normal and no big deal. She could have avoided the latter with a 2-line email to IT and her manager, if she'd thought about it for a minute or two beforehand.

          I'm not proposing making decisions in ignorance. I said that where the case in question requires access to this information, the judges should have unrestricted access to that information. I also said that these would be unusual cases which would not occur very often, so making these a special case is justified. I stand by this. Does every case involving hookers require the judge to spend a couple of hours watching pr0n on the Internet? This is only justified if the case involves some bizarre form of video (like those crush films that came up recently), and this kind of case will only come up a few times a year in the whole of the country!

          It may be illegal to mess with the mail; OTOH it's perfectly legal for your employer to open letters sent to you at work, on the grounds that these are sent to you as a representative of the company, not as a private individual.

          Grab.
    • If we can't trust our law enforcement officials, who can we trust? (Certainly not the common Joe.) This does cause an intriguing kind of infinite regress of monitoring.

      On the other hand, an ignorant law enforcement system can be manipulated. (Gripping hand, usually those with money and power end up more successfully manipulating it then geeks.)

  • One thing that would be really cool would be to use my ZX spectrum to play against the really good players at Freechess. Maybe I could beat them just ONCE! :-)
    • Some good players can tell the difference between computer and human styles of play. Ask the Freechess admins to set the Computer flag on your account so it's legit and they can't complain. It might be amusing to see how your ZX stacks up in one of the weekly tournaments.
  • by codewolf ( 239827 ) on Tuesday August 14, 2001 @08:18PM (#2170513) Homepage
    "My biggest concern is that signing off on these proposals opens the field to allow monitoring of every keystroke and basically makes an individual's computer an open book," And all along I had assumed that when at work, the computer I was working on was my employer's property, and they could monitor it. Maybe all laws should be tested on the legislators (and judicial branch that upholds such laws) so they can feel the effects. Heh, maybe it would even lead to police and the US President following some of the laws that the rest of us have to live under.
  • by partridge ( 207872 ) on Tuesday August 14, 2001 @08:23PM (#2170521)
    I've figured out how to save WEP. All we have to do is stop those damned scientists from posting their findings. So all we have to do compose a little tune, encrypt it with WEP, and then sue them to prevent them from presenting their findings under the premise that it is an illegal code-breaking program designed to deprive us of our rights under the DCMA.
    • Why would you want to save WEP? It was a bad protocal to begin with, and it was an incredibly weak encryption.

      The people who designed it knew that it would be broken, and it was only a matter of time.

      The point is that you are supposed to use strong encryption in software over such a link, if you care about security at all. WEP was really a false sense of security in the first place.

      And a false sense of security (non-broken WEP) is worse than no security at all (broken WEP).
  • 802.1x, not 802.11x (Score:3, Informative)

    by Adam J. Richter ( 17693 ) on Tuesday August 14, 2001 @08:45PM (#2170591)
    The security standard in question is 802.1x, not 802.11x, because it is theoretically not specific to wireless, although the distribution of per-session WEP keys is. You could, for example, use 802.1x to authenticate conference attendees to use ethernet ports in conference rooms.
    • Yup, and to further convolute things, the wireless specific implementation of this is 802.11e
    • Indeed. This is quite correct.

      I, for one, am waiting for peoples to realize that 802.1x *is* the International Standard Cookie Monster protocol. Every time your authorization to access the network expires you'll be prompted for your identification.

      Unless, of course, you aren't-- in which case, what's the point of deploying 802.1x?

  • I'd protest for my right to view pr0n, too, if the only way to forcibly remove me from my job is through impeachment. These judges literally have nothing to lose, the best the people in DC can do is bitch and moan.
  • by droyad ( 412569 ) on Tuesday August 14, 2001 @09:35PM (#2170760)
    Some times Judges have to use the internet for reasons that are proper, but copuld be construed as "bad"

    The judge in the napster case would have to use napster and download music to make a informed descision.

    The judge in Flint Vs US had to look at pornos

    and the judge in State Vs Micro$oft had to use IE.

    Judges should be trusted to make thier own descisions about what they look up. If they are afraid of accessing material to make an informed choice, because of possible bad publicity, that is BAD
    • Sometimes yes, but that's an incredible minority. Sometimes an investigative reporter will have to as well, but does that mean that every employee of every radio station, TV station and newspaper in the country should be allowed access? If one person needs access a year, out of an organisation of several hundred thousand, it's easier to make a special case for them than to let everyone go hog-wild. Don't forget that all these porn and music downloads will be slowing the network down, so a judge doing REAL work will be impeded!

      Common sense, man. If you need access to it, you ring IT, tell them "I'm doing some investigation of XYZ, so don't be surprised if some dodgy pages show up". Job done. Takes 30 seconds at most, and the cost of a phone call. As against months of investigations, hundreds of thousands of dollars wasted...

      Grab.
  • by Decimal Dave ( 411182 ) on Tuesday August 14, 2001 @09:55PM (#2170822)
    ...then why don't they just buy their own box to use in the office?
    • Because they'd still be using their employer's network, at a cost to them.

      Basically, I have no problem with staff of any organisation at any level being disciplined for inapproriate use of computers, whether that be porn, MP3 or whatever. The firm puts the computers there so the employee can do their job, not so they can see tits and ass (and whatever else!).

      If an individual wants to look at porn or listen to MP3, do it at home on your own PC using your own network/modem.

  • In accordance with my new resolve to better plan ahead, I hereby claim First Post on Michael's future Slashdot article "Poor, misunderstood hacker jailed by clueless, corrupt judge for anti-Code Red vigilanteism." (from the no-i-mean-cracker-no-wait-i-mean-hacker dept.)

    What an idiot! I have zero sympathy for this clown who found exactly the trouble he was looking for.

    I'd grab FP on Jon Katz's follow-up about geek oppression and the tyranny of global corporations but I got bored after trying to imagine the eleventh paragraph.

  • The author of the Vigilante software cites an email he got from an infected user, saying that his ISP said he was not vunerable to the code red worm.

    This is the kind of attitude that supports the automatic patching/formatting of code-red infected machines.

    If someone could write another virus, that spreads like the code red worm that shuts down the effects of the worm and then tries to "infect" other machines, passivly or activly, for say a months time, it would greatly reduce the number of machines out there that are infected
    • Droyad said:

      "This is the kind of attitude that supports the automatic patching/formatting of code-red infected machines."

      I'm sure I remember someone telling me about a specific Worm or Virus (maybe a Torjan Horse, I can't remember - damn my crap memory) that when it entered your system, looked for a specific security hole, extracted the patch for it from its built-in code, patch your security hole for you and then spread itself out across the rest of the Internet...

      Hmmm, maybe this could be a way for Microsoft to actually have secure systems all over the world, by patching everyone's buggy, insecure systems with stealth patches while they're not looking? :-)))

  • So, if the judiciary were to file a lawsuit against workplace monitoring, would any judge in the USA be able to oversee the case as, well, an impartial judge? What if it got appealed to the Supreme Court, yet all nine sitting judges there were part of the plaintiffs?

    Actually, thinking about it for a bit, I'm pretty sure what the practical result would be, regardless of what the law (currently) says: Court of Public Opinion. ;)

"The chain which can be yanked is not the eternal chain." -- G. Fitch

Working...